Proper CNAME interpretation

Kevin Darcy kcd at chrysler.com
Wed Sep 14 22:58:46 UTC 2011


On 9/14/2011 5:52 PM, Chuck Swiger wrote:
> On Sep 14, 2011, at 2:27 PM, Ronald F. Guilmette wrote:
>> The second part however seems to go more to my question, which is "What is
>> the resolver supposed to do when some knucklehead breaks the rules and puts
>> a CNAME in with some other stuff?"
> Depends on which query one issued.  The very next paragraph of RFC-1034 is:
>
> "CNAME RRs cause special action in DNS software.  When a name server
> fails to find a desired RR in the resource set associated with the
> domain name, it checks to see if the resource set consists of a CNAME
> record with a matching class.  If so, the name server includes the CNAME
> record in the response and restarts the query at the domain name
> specified in the data field of the CNAME record.  The one exception to
> this rule is that queries which match the CNAME type are not restarted."
>
> In other words, if you ask for an A record, and you get back both a CNAME and an A record, then the A record matches and that's what gethostbyname()/getaddrinfo() or whatever should receive from the resolver.  If you asked for an AAAA record, and got that same reply of a CNAME and an A record, then the resolver should chase the CNAME's data field.
>
>> It sure _sounds_ like that second sentence is encouraging any & all people
>> who are writing resolvers, or other related tools, that they should ignore
>> any flotsam & jetsam that appear along side a CNAME.  But is that
>> encouragement expressed anywhere as a "MUST"?
> By no means.  You only ought to chase a CNAME if you got a CNAME *instead* of the resource type that you asked for.
Indeed. It should be noted that not only does the graphiteops.com name 
break the "CNAME and other" rule, but it's a *self-referential* CNAME 
(rdata = graphiteops.com), so if one tried to chase it, one could chase 
infinitely. This is, presumably, what RFC 1034 calls a "CNAME loop", and 
according to that document ("Of course, by the robustness principle, 
domain software should not fail when presented with CNAME chains or 
loops; CNAME chains should be followed and CNAME loops signalled as an 
error") I would have expected nslookup and/or dig to have error'ed out 
when encountering this. Are those utilities not considered "domain 
software"? Hard to know, since neither 1034 nor 1035 define that term...
                                     - Kevin
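The RFC 1034 rule Chuck quotes (answer from the RRset if the desired type is there, otherwise include the CNAME and restart at its target, and never restart a query for type CNAME) plus the loop case Kevin raises, as a small added example that is not part of the thread or of any real resolver. The zone data, names and addresses are constructed for illustration; the `max_chain` cap is a practical safeguard, not something the RFC specifies.

```python
# Toy resolver implementing RFC 1034 section 3.6.2 CNAME handling (constructed).
# Constructed toy zone: owner name -> list of (rrtype, rdata). Not real records.
ZONE = {
    "www.example.test.":   [("CNAME", "host.example.test.")],
    "host.example.test.":  [("A", "192.0.2.10")],
    # Breaks the "CNAME and other data" rule: a CNAME and an A at the same name.
    "mixed.example.test.": [("CNAME", "host.example.test."), ("A", "192.0.2.20")],
    # Self-referential CNAME, the shape discussed above (rdata == owner name).
    "loop.example.test.":  [("CNAME", "loop.example.test.")],
    # Two-step loop.
    "a.example.test.":     [("CNAME", "b.example.test.")],
    "b.example.test.":     [("CNAME", "a.example.test.")],
}


class CnameLoop(Exception):
    """Raised when following CNAMEs revisits a name; RFC 1034 says signal an error."""


def resolve(qname, qtype, zone=ZONE, max_chain=8):
    """Return (answer_rrs, status) for a query, chasing CNAMEs per RFC 1034.

    answer_rrs lists (owner, rrtype, rdata) in answer-section order;
    status is NOERROR, NODATA or NXDOMAIN (simplified model of a server).
    """
    answer, seen, current = [], [], qname
    while True:
        if current in seen:                   # a CNAME loop: signal it as an error
            raise CnameLoop(" -> ".join(seen + [current]))
        if len(seen) >= max_chain:            # hypothetical safeguard, not from the RFC
            raise CnameLoop("chain longer than %d names" % max_chain)
        seen.append(current)
        rrset = zone.get(current)
        if rrset is None:
            return answer, "NXDOMAIN"
        matching = [(current, t, d) for t, d in rrset if t == qtype]
        # Desired type present, or the query was for CNAME itself: no restart.
        if matching or qtype == "CNAME":
            return answer + matching, ("NOERROR" if matching else "NODATA")
        cname = next((d for t, d in rrset if t == "CNAME"), None)
        if cname is None:
            return answer, "NODATA"
        # Desired type absent but a CNAME is present: include it, restart at target.
        answer.append((current, "CNAME", cname))
        current = cname
```

Querying `mixed.example.test.` for A returns the A record without touching the CNAME, while querying it for AAAA chases the CNAME; querying `loop.example.test.` for A raises `CnameLoop`, but querying it for CNAME returns the record because CNAME queries are never restarted.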
More information about the bind-users mailing list